These past few days have seen numerous packet-flooding attacks against some very prominent institutions. While most of the targets are simply PR and marketing front ends, not the actual operating environments, the attacks are disruptive and raise a few specific threats and concerns that should be considered in your environment today and for the future of the internet.
- Wall Street Journal Article on South Korea and U.S. Sites being attacked
- MarketWatch article on Denial of Service attacks on NYSE
- NYSE Press Release on CyberAttack
- CNBC article on NYSE cyber attack (may require a refresh; there were reports of the web page being ‘unavailable’, which is a bit ironic)
More packets are not the answer – The typical response to an attack is to attack back, add encryption, or add stronger integrity checks to the data. Encryption and integrity checks (for example, an MD5 hash appended to every message) add bytes and processing to a pipe that is already saturated; against a denial-of-service attack they clog the system further rather than protect it. Roll out additional solutions only after considering the material effect the technology will have on the environment and on the attack itself.
Separate is not always separate – It is common and best practice to run core business services in protected environments that are resilient to DDoS attacks and other common public-internet attack vectors. Unfortunately, technical architectures sometimes overlap and cross, whether through cost management or a simple lack of policies and procedures, so that the "separate" environment ends up sharing links, devices or dependencies with the public-facing one. These public attacks should highlight the need to carefully review:
- Your current redundant and resilient environments, confirming that they are actually isolated from the public-facing systems
- Your change control and approval program, and continued adherence to it
Attacks may appear closer than they appear – These attacks originate from somewhere, but not from the place one first thinks. The attackers have employed trojaned computers from around the world and are orchestrating them through a command and control server; this is a very common practice. Investigators, businesses and governments should be cautious in pointing fingers at a source, because the machines sending the packets can have been taken over in one country or anywhere in the world, and the location of a sending machine says little about who controls it.
Regulating bandwidth – Today most organizations throttle bandwidth by traffic type and by source and destination IP address. It is quite conceivable that we could live in an online world where DoS attacks are ongoing and continuous. The next step in the arms race would be a land grab on routers and other network devices to secure virtual private channels; conceivably one could see Google reserving a specific set of traffic on every network device.
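As an added illustration of the per-source throttling described above (this is example code written for this page, not code from the original post), the following Python implements a token-bucket rate limiter keyed by source IP and runs it over a constructed packet stream containing one flooding host and one well-behaved host. The IP addresses, packet sizes, timings and the rate/burst figures are all assumptions chosen for the demonstration.

```python
"""Per-source token-bucket throttle over a constructed packet stream.

Added example for this post, not code from the original article. Each source
IP gets a token bucket of `burst_bytes` refilled at `rate_bps` bytes per
second; a packet that does not fit its source's bucket is dropped. Timestamps
are integer milliseconds and tokens are kept in millibytes (bytes * 1000) so
the refill arithmetic is exact. The packet stream below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: int   # millibytes currently available to this source
    last_ms: int  # time of the last refill


class SourceThrottle:
    """Token bucket keyed by source IP."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps          # sustained allowance per source
        self.burst = burst_bytes * 1000   # bucket capacity, in millibytes
        self.buckets: dict[str, Bucket] = {}

    def allow(self, src: str, size_bytes: int, now_ms: int) -> bool:
        """Return True if the packet fits the source's bucket, charging it."""
        b = self.buckets.get(src)
        if b is None:
            # a source seen for the first time starts with a full bucket
            b = self.buckets[src] = Bucket(self.burst, now_ms)
        # refill: (bytes/s) * ms == millibytes; never exceed the burst size
        elapsed = max(0, now_ms - b.last_ms)
        b.tokens = min(self.burst, b.tokens + elapsed * self.rate_bps)
        b.last_ms = now_ms
        cost = size_bytes * 1000
        if cost <= b.tokens:
            b.tokens -= cost
            return True
        return False


def apply_throttle(throttle: SourceThrottle, packets):
    """Run (ts_ms, src, size_bytes) records through the throttle.

    Returns {src: (allowed_bytes, dropped_bytes)}.
    """
    stats: dict[str, tuple[int, int]] = {}
    for ts_ms, src, size in packets:
        allowed, dropped = stats.get(src, (0, 0))
        if throttle.allow(src, size, ts_ms):
            allowed += size
        else:
            dropped += size
        stats[src] = (allowed, dropped)
    return stats


def constructed_stream():
    """Constructed traffic (hypothetical addresses from documentation ranges).

    The flooder sends 1500-byte packets every millisecond for one second
    (1.5 MB); the normal host sends 500 bytes every 100 ms (5 KB).
    """
    flood = [(ms, "198.51.100.7", 1500) for ms in range(1000)]
    normal = [(ms, "203.0.113.20", 500) for ms in range(0, 1000, 100)]
    return sorted(flood + normal)  # merge by timestamp


def demo():
    # assumed policy: 10 KB/s sustained, 20 KB burst, per source address
    throttle = SourceThrottle(rate_bps=10_000, burst_bytes=20_000)
    return apply_throttle(throttle, constructed_stream())


if __name__ == "__main__":
    for src, (ok, dropped) in demo().items():
        print(f"{src}: {ok} bytes passed, {dropped} bytes dropped")
```

With those numbers the flooder gets its 20 KB burst plus roughly 10 KB/s thereafter (28,500 bytes pass, 1,471,500 are dropped) while the well-behaved host loses nothing. Two caveats a practitioner should keep in mind: in production this logic lives at the network edge (router QoS policy or firewall rate-limit rules), not in application code, and per-source throttling is weak against exactly the botnet pattern the post describes, since thousands of trojaned hosts can each stay under the threshold while their aggregate still fills the pipe.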
More thoughts spring to mind, but this is a reminder to take technology problems through a thought-through strategy, not through one-off shots.
James DeLuccia IV